certificate end date on router is wrong

IntegratedWorks
Beginner

We have a DMVPN environment which is using certificate authentication for the spoke routers.

I want to check the certificate end dates with the certificate check TCL script.

The only issue I have is that the CA certificate shows an end date year of 1903 with "show crypto pki certificate".

When I copy the certificate to tftp and open it on my PC, the end date year is 2039.

This happens on all the spoke routers, which are different models within the 800 series.

When the script is now running, it always sends a syslog message that the certificate is expired.

I tried updating the IOS, and I can't use piping within TCL scripts.

How can I solve this issue?

7 Replies

Peter Paluch
Hall of Fame Cisco Employee

Hi,

This may be a surprising request but do you believe you could actually post the certificate here? I would like to inspect the specific contents of its Start/End Validity elements. There is a possibility that their value is so much beyond any reasonable date that the IOS probably experiences some kind of overflow.

Best regards,
Peter

I understand you'd like to analyse that, but I can't post the certificate itself here.

Peter Paluch
Hall of Fame Cisco Employee

Hi,

You should understand that a certificate is by itself a public document, and there is no reason to keep it secret, as it cannot be counterfeited (to do that, you would need to steal the private key of the issuing certificate authority or break the RSA cipher - none of that is possible). I am not asking for the certificate owner's private key, only for the certificate itself.

In any case, if your regulations do not allow you to make it public, can you please at least use a decent Linux box and post the output of the following command?

openssl x509 -text -in certificate-filename.pem | grep Not

assuming you have the certificate in PEM format saved in the file certificate-filename.pem.

Thanks!

Best regards,
Peter

That command gives the following output:

            Not Before: Mar 11 14:03:41 2009 GMT
            Not After : Mar 11 14:13:38 2039 GMT

Peter Paluch
Hall of Fame Cisco Employee

Hi,

Okay. Now, you are saying that the Cisco devices you are using report the certificate expiration date to be placed back at 1903. Do you have an option of creating another certificate whose expiry date is, say, 2015 or 2020, and try importing that one? I really have a feeling that we are dealing here with some kind of integer overflow.

Best regards,
Peter
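The 1903 rendering is consistent with Peter's overflow hypothesis: the posted Not After value, Mar 11 14:13:38 2039 GMT, lies past the signed 32-bit time_t limit (Jan 19 03:14:07 2038 UTC), and wrapping its epoch value modulo 2^32 lands in February 1903. The Python script below is an added example, not code from this thread or from Cisco, and it assumes (without confirming) that the device stores the end date as a signed 32-bit count of seconds since 1970-01-01 UTC. It parses the two openssl lines quoted above, reproduces the wrapped date, and classifies the certificate so that a monitor does not report a 2039 end date as expired. The function names and status strings are my own.

```python
"""Reproduce a 2039 'Not After' date collapsing to 1903 under 32-bit signed time.

Added example, not code from the thread. ASSUMPTION: the device keeps the
validity end as a signed 32-bit seconds-since-1970 counter (the classic
time_t / year-2038 overflow). That is a hypothesis, not a confirmed IOS
internal; the arithmetic below only shows the hypothesis matches the symptom.
"""
import calendar
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)          # naive datetimes, all treated as UTC
INT32_MAX = 2**31 - 1                 # 2038-01-19 03:14:07 UTC
INT32_MIN = -2**31

# Constructed input: the two lines that 'openssl x509 -text ... | grep Not'
# printed in the thread.
OPENSSL_NOT_LINES = """\
            Not Before: Mar 11 14:03:41 2009 GMT
            Not After : Mar 11 14:13:38 2039 GMT
"""


def parse_openssl_validity(text):
    """Return (not_before, not_after) as naive UTC datetimes, taken from the
    'Not Before:' / 'Not After :' lines of 'openssl x509 -text' output."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key in ("Not Before", "Not After"):
            if line.startswith(key):
                value = line.split(":", 1)[1].strip()      # 'Mar 11 14:13:38 2039 GMT'
                value = value.rsplit(" ", 1)[0]            # drop the trailing 'GMT'
                found[key] = datetime.strptime(value, "%b %d %H:%M:%S %Y")
    return found["Not Before"], found["Not After"]


def to_epoch(dt):
    """Seconds since 1970-01-01 UTC as an unbounded Python int."""
    return calendar.timegm(dt.timetuple())


def wrap_int32(seconds):
    """Truncate to a signed 32-bit integer, as storing into a 32-bit time_t would."""
    return (seconds + 2**31) % 2**32 - 2**31


def from_epoch(seconds):
    """Inverse of to_epoch; works for negative values (pre-1970 dates) too."""
    return EPOCH + timedelta(seconds=seconds)


def overflows_int32(dt):
    """True when dt cannot be represented as a signed 32-bit time_t."""
    return not (INT32_MIN <= to_epoch(dt) <= INT32_MAX)


def displayed_end_date(not_after):
    """The date a device with a signed 32-bit time_t would render for not_after."""
    return from_epoch(wrap_int32(to_epoch(not_after)))


def check_validity(not_before, not_after, now):
    """Classify a certificate at time 'now', flagging the overflow case separately
    so a monitor does not raise 'expired' for an end date the device misrenders."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    if overflows_int32(not_after):
        return "valid-but-misreported-on-32bit"
    return "valid"


if __name__ == "__main__":
    nb, na = parse_openssl_validity(OPENSSL_NOT_LINES)
    print("real Not After :", na, "(epoch", to_epoch(na), ")")
    print("as int32       :", wrap_int32(to_epoch(na)))
    print("device renders :", displayed_end_date(na))
    print("status         :", check_validity(nb, na, from_epoch(1388534400)))
```

Running it renders the posted end date as 1903-02-03 07:45:22, a year-1903 date like the one the routers show. For the expiry script, the practical consequence is to compare against the Not After parsed from the exported certificate (or to treat any end date past 2038-01-19 as "misreported" rather than "expired") instead of trusting the year the device prints.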

The certificate for the authentication process, which has a validity period of 3 years, is showing the correct year.

I'll try to upload a certificate with a longer validity period and check how the year is displayed.

mario.jost
Participant

Hey there, I have the same problem as you had with the wrong end date. I created a new topic to shed some new light on an old topic:

https://supportforums.cisco.com/t5/vpn/pki-certificates-with-wrong-end-date/m-p/3360204#M121889

How did you solve your problem? Would be glad if you could share your solution with us. Thanks.
